twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

`onepasswordDetailsFields` fails : `error initializing client: You are not currently signed in` #2630

Closed CamilleHbp closed 1 year ago

CamilleHbp commented 1 year ago

Describe the bug

When using the `onepasswordDetailsFields` template function, 1password-cli tells me I'm not signed in, though I am.

It seems that the command is run when evaluated and fails before I can even prompt the user to sign in. I have tried to sign in in a script run before the one calling the template function, and it still tells me I am not signed in.

To reproduce

EDIT: I have tried to set up a minimal repo that fails on my machine on a new branch `fix/1password`.

Use `op signin` then the `onepasswordDetailsFields` function in a script.

I've tried attributing the value to a template variable with a Go template `with` block, but it doesn't change the result.

```sh
log_task "[SSH] 1password signin"
# `op signin` prints `export OP_SESSION_...=...` lines; eval them into this shell.
eval "$(op signin --account {{ .op_domain }})"
log_success "[SSH] 1password signed in"

log_task "[SSH] Copying SSH keys"
mkdir -p ~/.ssh
# Only write the key when it is not already present in ~/.ssh.
if [ ! -f "$HOME/.ssh/id_ed25519" ]; then
    {{ with $private_key := (onepasswordDetailsFields "********************").private_key.value }}
        # Create the file and restrict it to the owner before any key material is written.
        touch ~/.ssh/id_ed25519 && chmod 0600 ~/.ssh/id_ed25519
        echo {{ $private_key | quote }} >> ~/.ssh/id_ed25519
    {{ end }}
fi
```

Expected behaviour

User should be allowed to sign in and the template function should run without problems.

Output of command with the --verbose flag

```console
$ chezmoi --verbose apply

🔃 [1password] SETUP
Enter the password for ****@**.** at my.1password.com:
Now run 'eval $(op signin)' to sign in.
Enter the password for ****@**.** at my.1password.com:
✅ [1password] DONE
[ERROR] 2022/12/20 10:22:03 error initializing client: You are not currently signed in. Please run `op signin --help` for instructions
chezmoi: template: .chezmoiscripts/run_after_onchange_11-configure-ssh.sh.tmpl:60:13: executing ".chezmoiscripts/run_after_onchange_11-configure-ssh.sh.tmpl" at <onepasswordDetailsFields "***********">: error calling onepasswordDetailsFields: /usr/local/bin/op item get --format json **********: exit status 1
```

Output of chezmoi doctor

```console
$ chezmoi doctor
RESULT   CHECK               MESSAGE
ok       version             v2.28.0, commit 8e9ed2eee04b708b4d7531863e47b5c5a876050f, built at 2022-12-18T18:40:56Z, built by goreleaser
ok       latest-version      v2.28.0
ok       os-arch             darwin/arm64
ok       uname               Darwin Camilles-MacBook-Pro.local 22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:03:51 PST 2022; root:xnu-8792.61.2~4/RELEASE_ARM64_T6000 arm64
ok       go-version          go1.19.4 (gc)
ok       executable          ~/.local/bin/chezmoi
ok       upgrade-method      replace-executable
ok       config-file         ~/.config/chezmoi/chezmoi.toml, last modified 2022-12-20T10:14:54+01:00
warning  source-dir          ~/.local/share/chezmoi is a git working tree (dirty)
ok       suspicious-entries  no suspicious entries
warning  working-tree        ~/.local/share/chezmoi is a git working tree (dirty)
ok       dest-dir            ~ is a directory
ok       umask               022
ok       cd-command          found /opt/homebrew/bin/zsh
ok       cd-args             /opt/homebrew/bin/zsh
info     diff-command        not set
ok       edit-command        found /opt/homebrew/bin/nvim
ok       edit-args           /opt/homebrew/bin/nvim
ok       git-command         found /opt/homebrew/bin/git, version 2.39.0
ok       merge-command       found /usr/bin/vimdiff
ok       shell-command       found /opt/homebrew/bin/zsh
ok       shell-args          /opt/homebrew/bin/zsh
info     age-command         age not found in $PATH
info     gpg-command         gpg not found in $PATH
info     pinentry-command    not set
ok       1password-command   found /usr/local/bin/op, version 2.11.0
info     bitwarden-command   bw not found in $PATH
info     gopass-command      gopass not found in $PATH
info     keepassxc-command   keepassxc-cli not found in $PATH
info     keepassxc-db        not set
info     keeper-command      keeper not found in $PATH
info     lastpass-command    lpass not found in $PATH
info     pass-command        pass not found in $PATH
info     passhole-command    ph not found in $PATH
info     vault-command       vault not found in $PATH
info     secret-command      not set
```

Additional context

I've tried to be as specific as I could, but it might be a messy report. Is there a way to easily set up a minimal chezmoi repo to reproduce the error, without affecting my config? Thanks! :)

halostatue commented 1 year ago

You should `eval $(op signin --account FOO)` before running chezmoi.

CamilleHbp commented 1 year ago

Doesn't it make it impossible to run `sh -c "$(curl -fsLS get.chezmoi.io)" -- init --apply ${MY_DOTFILES_REPO}` and have a nice setup on a brand new machine? Because it means I have to manually install a bunch of stuff before running chezmoi, and it defeats the purpose.

Or did I misunderstand something?

Example:

I could install the 1password app and use it to connect the CLI. But that would mean that I need to install Homebrew myself on the machine, since I use it to manage most of my apps. And that defeats the purpose of using chezmoi for me. :S Unless that's not the purpose of chezmoi and I should use another tool?

halostatue commented 1 year ago

So… Chezmoi can try to log into 1Password automatically (you don't have the setting which disables the login prompt, that I can see), but when executing it cannot inherit the environment of a child process, which is what you're doing when you call `eval $(op signin --account FOO)` inside of a script.

I'm not entirely sure why the 1Password integration can't see the account after the initial SETUP phase (`.chezmoiscripts/run_after_onchange_10-configure-1password.sh.tmpl:45-49`), and that's something that will take some debugging which I don't have time to do until the 29th or so.

Chezmoi is definitely a multipurpose tool, and you can use it to install many things (and I do), but I have recently started installing 1Password (both CLI and desktop) directly rather than with Homebrew or Macports, although I install quite a few other things with Homebrew and Macports using Chezmoi scripts.
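The mechanism described in the comment above (an `eval $(op signin ...)` inside a chezmoi `run_` script exports the session into a child process, where the chezmoi process that evaluates `onepasswordDetailsFields` cannot see it) can be shown without a real 1Password account. The following is an added example, not code from this thread or from the chezmoi project: a bootstrap wrapper that signs in in the parent shell and verifies the session before handing off to chezmoi, plus an offline demo that uses a constructed stub `op` mimicking the real CLI's `signin` output (`export OP_SESSION_...` lines) with a `whoami` that succeeds only when a session variable is present. `OP_BIN`, the `demo` and `bootstrap` functions and the stub's `OP_SESSION_demo` name are assumptions of the example; `op whoami` is assumed to exit non-zero when no session exists.

```shell
#!/bin/sh
# Added example (not from this issue or the chezmoi project).
# Shows why `eval $(op signin ...)` must run in the shell that launches chezmoi,
# not inside a chezmoi run_ script (a child process whose exports are lost).
# Assumed for the example: OP_BIN overrides the `op` binary (used to point at an
# offline stub below); `op whoami` exits non-zero when there is no session.

# Return 0 when the *current* process has a usable 1Password CLI session.
op_session_ok() {
    "${OP_BIN:-op}" whoami >/dev/null 2>&1
}

# Sign in inside this shell. The real CLI prints `export OP_SESSION_<shorthand>="..."`
# lines; eval'ing them here puts the token in our environment, which every child
# (chezmoi included) inherits.
op_signin_here() {
    eval "$("${OP_BIN:-op}" signin --account "$1")" || return 1
    op_session_ok
}

# Intended order on a fresh machine: sign in here, verify, then hand off to chezmoi
# using the one-liner from the thread. Not exercised by demo; needs the real op and chezmoi.
bootstrap() {
    op_signin_here "$1" || { echo "1Password sign-in failed; not running chezmoi" >&2; return 1; }
    sh -c "$(curl -fsLS get.chezmoi.io)" -- init --apply "$2"
}

# Offline demonstration with a stub `op` (constructed here, not the real CLI):
# `whoami` succeeds only if OP_SESSION_demo is set; `signin` prints an export line.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/op" <<'EOF'
#!/bin/sh
case "$1" in
  whoami) [ -n "$OP_SESSION_demo" ] ;;
  signin) echo 'export OP_SESSION_demo="stub-session-token"' ;;
  *)      exit 2 ;;
esac
EOF
    chmod +x "$tmp/op"
    OP_BIN="$tmp/op"; export OP_BIN

    # 1) eval in a child script (what the run_ script did): the child is signed in,
    #    but the parent still has no session.
    sh -c 'eval "$("$OP_BIN" signin --account demo)" && "$OP_BIN" whoami' || return 1
    if op_session_ok; then child_leaks=1; else child_leaks=0; fi

    # 2) eval in this shell (what the bootstrap wrapper does): the session is visible here.
    if op_signin_here demo; then parent_ok=1; else parent_ok=0; fi

    unset OP_SESSION_demo OP_BIN
    rm -rf "$tmp"
    echo "session leaked up from child: $child_leaks; visible after parent eval: $parent_ok"
    [ "$child_leaks" -eq 0 ] && [ "$parent_ok" -eq 1 ]
}
```

Running `demo` prints `session leaked up from child: 0; visible after parent eval: 1`: the export performed in the child never reaches the parent, which is exactly the position chezmoi is in when a `run_` script signs in on its behalf. The `bootstrap` wrapper is the ordering that works: the session is created in the shell that starts chezmoi, and the template function's `op item get` call inherits it.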

CamilleHbp commented 1 year ago

Okay, I'll be waiting gladly for some more info on this :) If you need some actions from me, when you have the time to debug, don't hesitate to ask me!

CamilleHbp commented 1 year ago

In the meantime, I've solved the issue by not using `eval $(op signin)` at all. This causes chezmoi to automatically prompt for the password when using the template function, and incidentally solves my issue. 🤷 Works for me, but I'm still interested in helping investigate. 😆 Signed, David Goodenough.

halostatue commented 1 year ago

I think that I have a suggestion, but you'll need to tell 1Password to forget your account. Then try something like this in your template:

```
{{- /* Build the account address from the domain stored in chezmoi's config data. */ -}}
{{ $domain := printf "%s.1password.com" .op_domain }}
{{- /* `output` execs op directly (no shell), so pass the values as-is: quoting them
       would hand op literal quote characters. */ -}}
{{ $email := .op_email }}
{{ $secret := .op_secret }}
{{ $result := output "op" "account" "add" "--address" $domain "--email" $email "--secret-key" $secret }}
```

I don’t know how well it will work, but if that runs before onepasswordDetailsFields, then the account should be added by time that onepasswordDetailsFields runs. If this does work, then it may be worth considering a no-output exec function for cases like this.

onepasswordDetailsFields will work perfectly if 1Password already knows about the account. It won’t work at all if it doesn’t.

CamilleHbp commented 1 year ago

I've told 1password-cli to forget the account and I've run my script again, using `op account add --address {{ .op_subdomain }}.1password.com --email {{ .op_email | quote }} --secret-key {{ .op_secret | quote }}` as before, and as long as I don't call `eval $(op signin)` before, everything works fine.

halostatue commented 1 year ago

Weird. I don’t even have any ideas on how to investigate that part.

CamilleHbp commented 1 year ago

I'll try to find a way to set it up on a new machine someday and check that. I'm sorry I can't be more useful :S

halostatue commented 1 year ago

Not a problem. I'm glad that we have this working, but I think that it was a bit of a race condition where the `op account add…` wasn't executing before `eval $(op signin)` was, but I believe that the issue is entirely external to chezmoi except in that how you were setting things up was run by chezmoi.

If you manage to get this reproduced, please feel free to reopen this issue or file a new one.